
Firewall High-Speed Logging

The Firewall High-Speed Logging feature supports the high-speed logging (HSL) of firewall messages by using NetFlow Version 9 as the export format.

This module describes how to configure HSL for zone-based policy firewalls.

• Finding Feature Information, on page 1
• Information About Firewall High-Speed Logging, on page 1
• How to Configure Firewall High-Speed Logging, on page 20
• Configuration Examples for Firewall High-Speed Logging, on page 23
• Additional References for Firewall High-Speed Logging, on page 24
• Feature Information for Firewall High-Speed Logging, on page 24

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Firewall High-Speed Logging

Firewall High-Speed Logging Overview

Zone-based firewalls support high-speed logging (HSL). When HSL is configured, a firewall provides a log of packets that flow through routing devices (similar to the NetFlow Version 9 records) to an external collector. Records are sent when sessions are created and destroyed. Session records contain the full 5-tuple information (the source IP address, destination IP address, source port, destination port, and protocol). A tuple is an ordered list of elements.

HSL allows a firewall to log records with minimum impact to packet processing. The firewall uses buffered mode for HSL. In buffered mode, a firewall logs records directly to the high-speed logger buffer, and exports the buffered records separately.

Firewall High-Speed Logging1


A firewall logs the following types of events:

• Audit—Session creation and removal notifications.

• Alert—Half-open and maximum-open TCP session notifications.

• Drop—Packet-drop notifications.

• Pass—Packet-pass (based on the configured rate limit) notifications.

• Summary—Policy-drop and pass-summary notifications.

The NetFlow collector issues the show platform software interface F0 brief command to map the FW_SRC_INTF_ID and FW_DST_INTF_ID interface IDs to the interface name.

The following sample output from the show platform software interface F0 brief command shows that the ID column maps the interface ID to the interface name (Name column):

Device# show platform software interface F0 brief
Name                   ID   QFP ID
GigabitEthernet0/2/0   16   9
GigabitEthernet0/2/1   17   10
GigabitEthernet0/2/2   18   11
GigabitEthernet0/2/3   19   12

NetFlow Field ID Descriptions

The following table lists NetFlow field IDs used within the firewall NetFlow templates:

Table 1: NetFlow Field IDs

| Field ID | Type | Length | Description |
| --- | --- | --- | --- |
| NetFlow ID Fields (Layer 3 IPv4) | | | |
| FW_SRC_ADDR_IPV4 | 8 | 4 | Source IPv4 address |
| FW_DST_ADDR_IPV4 | 12 | 4 | Destination IPv4 address |
| FW_SRC_ADDR_IPV6 | 27 | 16 | Source IPv6 address |
| FW_DST_ADDR_IPV6 | 28 | 16 | Destination IPv6 address |
| FW_PROTOCOL | 4 | 1 | IP protocol value |
| FW_IPV4_IDENT | 54 | 4 | IPv4 identification |
| FW_IP_PROTOCOL_VERSION | 60 | 1 | IP protocol version |
| Flow ID Fields (Layer 4) | | | |
| FW_TCP_FLAGS | 6 | 1 | TCP flags |
| FW_SRC_PORT | 7 | 2 | Source port |
| FW_DST_PORT | 11 | 2 | Destination port |
| FW_ICMP_TYPE | 176 | 1 | ICMP (Internet Control Message Protocol) type value |
| FW_ICMP_CODE | 177 | 1 | ICMP code value |
| FW_ICMP_IPV6_TYPE | 178 | 1 | ICMP Version 6 (ICMPv6) type value |
| FW_ICMP_IPV6_CODE | 179 | 1 | ICMPv6 code value |
| FW_TCP_SEQ | 184 | 4 | TCP sequence number |
| FW_TCP_ACK | 185 | 4 | TCP acknowledgment number |
| Flow ID Fields (Layer 7) | | | |
| FW_L7_PROTOCOL_ID | 95 | 2 | Layer 7 protocol ID. Identifies the Layer 7 application classification used by firewall inspection. Normal records use 2 bytes, but optional records use 4 bytes. |
| Flow Name Fields (Layer 7) | | | |
| FLOW_FIELD_L7_PROTOCOL_NAME | 96 | 32 | Layer 7 protocol name. Identifies the Layer 7 protocol name that corresponds to the Layer 7 protocol ID (FW_L7_PROTOCOL_ID). |
| Flow ID Fields (Interface) | | | |
| FW_SRC_INTF_ID | 10 | 2 | Ingress SNMP (Simple Network Management Protocol) ifIndex |
| FW_DST_INTF_ID | 14 | 2 | Egress SNMP ifIndex |
| FW_SRC_VRF_ID | 234 | 4 | Ingress (initiator) VRF (virtual routing and forwarding) ID |
| FW_DST_VRF_ID | 235 | 4 | Egress (responder) VRF ID |
| FW_VRF_NAME | 236 | 32 | VRF name |
| Mapped Flow ID Fields (Network Address Translation) | | | |
| FW_XLATE_SRC_ADDR_IPV4 | 225 | 4 | Mapped source IPv4 address |
| FW_XLATE_DST_ADDR_IPV4 | 226 | 4 | Mapped destination IPv4 address |
| FW_XLATE_SRC_PORT | 227 | 2 | Mapped source port |
| FW_XLATE_DST_PORT | 228 | 2 | Mapped destination port |
| Status and Event Fields | | | |
| FW_EVENT | 233 | 1 | High level event codes: 0 = Ignore (invalid); 1 = Flow created; 2 = Flow deleted; 3 = Flow denied; 4 = Flow alert |
| FW_EXT_EVENT | 35,001 | 2 | Extended event code. For normal records the length is 2 bytes, and 4 bytes for optional records. |
| Timestamp and Statistics Fields | | | |
| FW_EVENT_TIME_MSEC | 323 | 8 | Time, in milliseconds, since 0000 hours UTC (Coordinated Universal Time) on January 1, 1970, when the event occurred (if the event is a microevent, use field 324; if it is a nanoevent, use field 325) |
| FW_INITIATOR_OCTETS | 231 | 4 | Total number of Layer 4 payload bytes in the packet flow that arrives from the initiator |
| FW_RESPONDER_OCTETS | 232 | 4 | Total number of Layer 4 payload bytes in the packet flow that arrives from the responder |
| AAA Fields | | | |
| FW_USERNAME | 40,000 | 20 or 64, depending on the template | AAA (Authentication, Authorization, and Accounting) user name |
| FW_USERNAME_MAX | 40,000 | 64 | AAA user name of the maximum permitted size |
| Alert Fields | | | |
| FW_HALFOPEN_CNT | 35,012 | 4 | Half-open session entry count |
| FW_BLACKOUT_SECS | 35,004 | 4 | Time, in seconds, when the destination is blacked out or unavailable |
| FW_HALFOPEN_HIGH | 35,005 | 4 | Configured maximum rate of TCP half-open session entries logged in one minute |
| FW_HALFOPEN_RATE | 35,006 | 4 | Current rate of TCP half-open session entries logged in one minute |
| FW_MAX_SESSIONS | 35,008 | 4 | Maximum number of sessions allowed for this zone pair or class ID |
| Miscellaneous | | | |
| FW_ZONEPAIR_ID | 35,007 | 4 | Zone pair ID |
| FW_CLASS_ID | 51 | 4 | Class ID |
| FW_ZONEPAIR_NAME | 35,009 | 64 | Zone pair name |
| FW_CLASS_NAME | 100 | 64 | Class name |
| FW_EXT_EVENT_DESC | 35,010 | 32 | Extended event description |
| FLOW_FIELD_CTS_SRC_GROUP_TAG | 34,000 | 2 | Cisco TrustSec source tag |
| FW_SUMMARY_PKT_CNT | 35,011 | 4 | Number of packets represented by the drop/pass summary record |
| FW_EVENT_LEVEL | 33,003 | 4 | Defines the level of the logged event: 0x01 = Per box; 0x02 = VRF; 0x03 = Zone; 0x04 = Class map; other values are undefined |
| FW_EVENT_LEVEL_ID | 33,004 | 4 | Defines the identifier for the FW_EVENT_LEVEL field. If FW_EVENT_LEVEL is 0x02 (VRF), this field represents VRF_ID; if it is 0x03 (zone), ZONE_ID; if it is 0x04 (class map), CLASS_ID. In all other cases the field ID will be 0 (zero). If FW_EVENT_LEVEL is not present, the value of this field must be zero. |
| FW_CONFIGURED_VALUE | 33,005 | 4 | Value that represents the configured half-open, aggressive-aging, and event-rate monitoring limit. The interpretation of this field value depends on the associated FW_EXT_EVENT field. |
| FW_ERM_EXT_EVENT | 33,006 | 2 | Extended event-rate monitoring code |
| FW_ERM_EXT_EVENT_DESC | 33,007 | N (string) | Extended event-rate monitoring event description string |
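The field IDs in Table 1 are what a collector needs to interpret the firewall's NetFlow Version 9 templates. As an added example (not Cisco's documentation or software), the following Python decodes a NetFlow v9 export packet using a subset of those field IDs. The packet, template ID 256 and the two audit records in it are constructed; the template cache is passed in and kept across packets because a data FlowSet that arrives before its template cannot be decoded and is skipped rather than guessed.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

# NetFlow v9 element type -> Cisco field ID, taken from Table 1 (subset).
FIELD_NAMES = {
    8: "FW_SRC_ADDR_IPV4", 12: "FW_DST_ADDR_IPV4", 4: "FW_PROTOCOL",
    7: "FW_SRC_PORT", 11: "FW_DST_PORT", 10: "FW_SRC_INTF_ID",
    14: "FW_DST_INTF_ID", 233: "FW_EVENT", 35001: "FW_EXT_EVENT",
    323: "FW_EVENT_TIME_MSEC", 231: "FW_INITIATOR_OCTETS",
    232: "FW_RESPONDER_OCTETS",
}
# FW_EVENT high-level event codes from Table 1.
FW_EVENT_NAMES = {0: "ignore", 1: "flow created", 2: "flow deleted",
                  3: "flow denied", 4: "flow alert"}

Template = List[Tuple[int, int]]          # [(element type, length in bytes), ...]


def decode_field(ftype: int, raw: bytes):
    """Decode one field value according to its NetFlow v9 element type."""
    if ftype in (8, 12):                    # IPv4 addresses
        return str(ipaddress.IPv4Address(raw))
    if ftype == 233:                        # FW_EVENT: 1-byte code
        return FW_EVENT_NAMES.get(raw[0], f"unknown({raw[0]})")
    return int.from_bytes(raw, "big")       # ports, counters, timestamps, IDs


def parse_netflow_v9(packet: bytes, templates: Dict[int, Template]) -> List[dict]:
    """Parse one export packet. 'templates' persists across packets because a
    data FlowSet can only be decoded once its template has been received."""
    version = struct.unpack("!HHIIII", packet[:20])[0]   # count, uptime, secs, seq, source ID follow
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records: List[dict] = []
    off = 20
    while off + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[off:off + 4])
        if length < 4 or off + length > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[off + 4:off + length]
        if flowset_id == 0:                 # template FlowSet (may carry several templates)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields: Template = []
                for _ in range(nfields):
                    fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                    pos += 4
                templates[tid] = fields
        elif flowset_id >= 256:             # data FlowSet; its ID is the template ID
            fields = templates.get(flowset_id)
            if fields is None:              # template not seen yet: skip, never guess
                off += length
                continue
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while pos + rec_len <= len(body):   # fewer than rec_len leftover bytes is padding
                rec = {}
                for ftype, flen in fields:
                    name = FIELD_NAMES.get(ftype, f"type_{ftype}")
                    rec[name] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        off += length                       # options templates (FlowSet ID 1) are ignored here
    return records


def build_sample_packet(include_template: bool = True) -> bytes:
    """Constructed sample export: one template (ID 256) plus a data FlowSet
    with an audit-start and an audit-stop record for the same TCP session."""
    template: Template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1),
                          (35001, 2), (323, 8), (231, 4), (232, 4), (10, 2), (14, 2)]
    tmpl_body = struct.pack("!HH", 256, len(template)) + b"".join(
        struct.pack("!HH", ftype, flen) for ftype, flen in template)
    tmpl_flowset = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body

    def record(src, dst, sport, dport, proto, event, ext, ts_ms, i_oct, r_oct, sif, dif):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBBHQIIHH", sport, dport, proto, event, ext,
                              ts_ms, i_oct, r_oct, sif, dif))

    # Constructed values; interface IDs 16/17 follow the sample 'show platform' output above.
    data = (record("10.1.1.1", "10.3.21.1", 43365, 23, 6, 1, 0, 1611259981078, 0, 0, 16, 17)
            + record("10.1.1.1", "10.3.21.1", 43365, 23, 6, 2, 0, 1611259995889, 35, 95, 16, 17))
    pad = b"\x00" * (-len(data) % 4)        # FlowSets are padded to a 4-byte boundary
    data_flowset = struct.pack("!HH", 256, 4 + len(data) + len(pad)) + data + pad
    header = struct.pack("!HHIIII", 9, 3, 10570290, 1611259995, 1, 0)
    return header + (tmpl_flowset if include_template else b"") + data_flowset


if __name__ == "__main__":
    cache: Dict[int, Template] = {}
    for rec in parse_netflow_v9(build_sample_packet(), cache):
        print(rec)
```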

HSL Messages

The following are sample syslog messages from a Cisco ASR 1000 Series Aggregation Services Router:

Table 2: Syslog Messages and Their Templates

Message identifier: FW-6-DROP_PKT (Type: Info)
HSL template: FW_TEMPLATE_DROP_V4 or FW_TEMPLATE_DROP_V6
Message format: Dropping %s pkt from %s %CA:%u => %CA:%u (target:class)-(%s:%s) %s %s with ip ident %u %s %s
Explanation: Packet dropped by firewall inspection.
Message fields:
• %s: tcp/udp/icmp/unknown prot/L7 prot
• %s: interface
• %CA:%u: ip/ip6 addr: port
• %s:%s: zone pair name/class name
• %s: "due to"
• %s: fw_ext_event name
• %u: ip ident
• %s: if tcp, tcp seq/ack number and tcp flags
• %s: username

Message identifier: FW-6-SESS_AUDIT_TRAIL_START (Type: Info)
HSL template: FW_TEMPLATE_START_AUDIT_V4 or FW_TEMPLATE_START_AUDIT_V6
Message format: (target:class)-(%s:%s):Start %s session: initiator (%CA:%u) -- responder (%CA:%u) from %s %s %s
Explanation: Start of an inspection session. This message is issued at the start of each inspection session and it records the source/destination addresses and ports.
Message fields:
• %s:%s: zonepair name: class name
• %s: l4/l7 protocol name
• %CA:%u: ip/ip6 addr: port
• %s: interface
• %s: username
• %s: TODO
Actual log:
*Jan 21 20:13:01.078: %IOSXE-6-PLATFORM: F0: cpp_cp: CPP:00 Thread:125 TS:00000010570290947309 %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.1.1.1:43365) -- responder (10.3.21.1:23) from FastEthernet0/1/0

Message identifier: FW-6-SESS_AUDIT_TRAIL (Type: Info)
HSL template: FW_TEMPLATE_STOP_AUDIT_V4 or FW_TEMPLATE_STOP_AUDIT_V6
Message format: (target:class)-(%s:%s):Stop %s session: initiator (%CA:%u) sent %u bytes -- responder (%CA:%u) sent %u bytes, from %s %s
Explanation: Per-session transaction log of network activities. This message is issued at the end of each inspection session, and it records the source/destination addresses and ports, and the number of bytes transmitted by the client and the server.
Message fields:
• %s:%s: zonepair name: class name
• %s: l4/l7 protocol name
• %CA:%u: ip/ip6 addr: port
• %u: bytes counters
• %s: interface
• %s: TODO
Actual log:
*Jan 21 20:13:15.889: %IOSXE-6-PLATFORM: F0: cpp_cp: CPP:00 Thread:036 TS:00000010585102587819 %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.1:43365) sent 35 bytes -- responder (11.1.1.1:23) sent 95 bytes, from FastEthernet0/1/0

Message identifier: FW-4-UNBLOCK_HOST (Type: Warning)
HSL template: FW_TEMPLATE_ALERT_TCP_HALF_OPEN_V4 or FW_TEMPLATE_ALERT_TCP_HALF_OPEN_V6 with fw_ext_event id FW_EXT_ALERT_UNBLOCK_HOST
Message format: (target:class)-(%s:%s):New TCP connections to host %CA no longer blocked
Explanation: New TCP connection attempts to the specified host are no longer blocked. This message indicates that the blocking of new TCP connection attempts to the specified host has been removed.
Message fields:
• %s:%s: zonepair name: class name
• %CA: ip/ip6 addr

Message identifier: FW-4-HOST_TCP_ALERT_ON (Type: Warning)
HSL template: FW_TEMPLATE_ALERT_TCP_HALF_OPEN_V4 or FW_TEMPLATE_ALERT_TCP_HALF_OPEN_V6 with fw_ext_event id FW_EXT_ALERT_HOST_TCP_ALERT_ON
Message format: (target:class)-(%s:%s):Max tcp half-open connections (%u) exceeded for host %CA.
Explanation: Exceeded the max-incomplete host limit for half-open TCP connections. This message indicates that a high number of half-open connections is coming to a protected server, and this may indicate that a SYN flood attack is in progress.
Message fields:
• %s:%s: zonepair name: class name
• %u: half open cnt
• %CA: ip/ip6 addr

Message identifier: FW-2-BLOCK_HOST (Type: Critical)
HSL template: FW_TEMPLATE_ALERT_TCP_HALF_OPEN_V4 or FW_TEMPLATE_ALERT_TCP_HALF_OPEN_V6 with fw_ext_event id FW_EXT_ALERT_BLOCK_HOST
Message format: (target:class)-(%s:%s):Blocking new TCP connections to host %CA for %u minute%s (half-open count %u exceeded).
Explanation: Exceeded the max-incomplete host threshold for TCP connections. Any subsequent new TCP connection attempts to the specified host are denied, because the blocking option is configured to block all subsequent new connections. The blocking will be removed when the configured block time expires.
Message fields:
• %s:%s: zonepair name: class name
• %CA: ip/ip6 addr
• %u: blackout min
• %s: "s" if the blackout time is more than 1 min
• %u: half open counter

Message identifier: FW-4-ALERT_ON (Type: Warning)
HSL template: FW_TEMPLATE_ALERT_HALFOPEN_V4 or FW_TEMPLATE_ALERT_HALFOPEN_V6 with fw_ext_event id FW_EXT_SESS_RATE_ALERT_ON
Message format: (target:class)-(%s:%s):%s, count (%u/%u) current rate: %u
Explanation: Either the max-incomplete high threshold of half-open connections or the new connection initiation rate has been exceeded. This error message indicates that an unusually high rate of new connections is coming through the firewall, and a DOS attack may be in progress. This message is issued only when the max-incomplete high threshold is crossed.
Message fields:
• %s:%s: zonepair name: class name
• %s: "getting aggressive"
• %u/%u: halfopen cnt/high
• %u: current rate

Message identifier: FW-4-ALERT_OFF (Type: Warning)
HSL template: FW_TEMPLATE_ALERT_HALFOPEN_V4 or FW_TEMPLATE_ALERT_HALFOPEN_V6 with fw_ext_event id FW_EXT_SESS_RATE_ALERT_OFF
Message format: (target:class)-(%s:%s):%s, count (%u/%u) current rate: %u
Explanation: Either the number of half-open connections or the new connection initiation rate has gone below the max-incomplete low threshold. This message indicates that the rate of incoming new connections has slowed down, and it is issued only when the max-incomplete low threshold is crossed.
Message fields:
• %s:%s: zonepair name: class name
• %s: "calming down"
• %u/%u: halfopen cnt/high
• %u: current rate

Message identifier: FW-4-SESSIONS_MAXIMUM (Type: Warning)
HSL template: FW_TEMPLATE_ALERT_MAX_SESSION
Message format: Number of sessions for the firewall policy on "(target:class)-(%s:%s) exceeds the configured sessions maximum value %u
Explanation: The number of established sessions has crossed the configured sessions maximum limit.
Message fields:
• %s:%s: zonepair name: class name
• %u: max session

Message identifier: FW-6-PASS_PKT (Type: Info)
HSL template: FW_TEMPLATE_PASS_V4 or FW_TEMPLATE_PASS_V6
Message format: Passing %s pkt from %s %CA:%u => %CA:%u (target:class)-(%s:%s) %s %s with ip ident %u
Explanation: Packet is passed by firewall inspection.
Message fields:
• %s: tcp/udp/icmp/unknown prot
• %s: interface
• %CA:%u: src ip/ip6 addr: port
• %CA:%u: dst ip/ip6 addr: port
• %s:%s: zonepair name: class name
• %s %s: "due to", "PASS action found in policy-map"
• %u: ip ident

Message identifier: FW-6-LOG_SUMMARY (Type: Info)
HSL template: FW_TEMPLATE_SUMMARY_V4 or FW_TEMPLATE_SUMMARY_V6 with FW_EVENT: 3 - drop, 4 - pass
Message format: %u packet%s %s from %s %CA:%u => %CA:%u (target:class)-(%s:%s) %s
Explanation: Log summary for the number of packets dropped/passed.
Message fields:
• %u %s: pkt_cnt, "s were" or "was"
• %s: "dropped"/"passed"
• %s: interface
• %CA:%u: src ip/ip6 addr: port
• %CA:%u: dst ip/ip6 addr: port
• %s:%s: zonepair name: class name
• %s: username
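The audit-trail formats above are what a log pipeline has to match to rebuild session records from syslog. As an added example (not Cisco code), the following Python extracts the 5-tuple and byte counters from FW-6-SESS_AUDIT_TRAIL_START and FW-6-SESS_AUDIT_TRAIL messages and pairs each start with its stop. The sample lines are constructed from the "Actual log" lines shown above with spacing normalised; the second line's responder address is changed to match the start so the pair closes, the third is the page's stop line as printed and stays unmatched, and LOG_YEAR is an assumption because IOS syslog timestamps carry no year.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Patterns follow the FW-6-SESS_AUDIT_TRAIL_START / FW-6-SESS_AUDIT_TRAIL formats in Table 2.
# %CA may be an IPv4 or IPv6 address, so the address is matched lazily up to ':port)'.
_TS = r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+):"
START_RE = re.compile(
    _TS + r".*%FW-6-SESS_AUDIT_TRAIL_START:\s*Start (?P<proto>\S+) session: "
    r"initiator \((?P<src>.+?):(?P<sport>\d+)\) -- responder \((?P<dst>.+?):(?P<dport>\d+)\)"
    r" from (?P<intf>\S+)")
STOP_RE = re.compile(
    _TS + r".*%FW-6-SESS_AUDIT_TRAIL:\s*Stop (?P<proto>\S+) session: "
    r"initiator \((?P<src>.+?):(?P<sport>\d+)\) sent (?P<ibytes>\d+) bytes -- "
    r"responder \((?P<dst>.+?):(?P<dport>\d+)\) sent (?P<rbytes>\d+) bytes, from (?P<intf>\S+)")

LOG_YEAR = 2021   # assumed: the device timestamp has no year field

Key = Tuple[str, str, int, str, int]   # (proto, initiator ip, port, responder ip, port)


def parse_audit_line(line: str) -> Optional[dict]:
    """Return a dict for a session start/stop message, or None for any other line."""
    for kind, rx in (("start", START_RE), ("stop", STOP_RE)):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            d["kind"] = kind
            d["time"] = datetime.strptime(f"{LOG_YEAR} {d.pop('ts')}", "%Y %b %d %H:%M:%S.%f")
            for k in ("sport", "dport", "ibytes", "rbytes"):
                if k in d:
                    d[k] = int(d[k])
            return d
    return None


def correlate_sessions(lines: List[str]) -> Tuple[List[dict], List[dict]]:
    """Pair start and stop messages by 5-tuple; returns (closed sessions, unmatched events)."""
    open_sessions: Dict[Key, dict] = {}
    closed: List[dict] = []
    orphans: List[dict] = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None:
            continue
        key: Key = (ev["proto"], ev["src"], ev["sport"], ev["dst"], ev["dport"])
        if ev["kind"] == "start":
            open_sessions[key] = ev
        elif key in open_sessions:
            start = open_sessions.pop(key)
            closed.append({
                "key": key, "interface": ev["intf"],
                "duration_s": (ev["time"] - start["time"]).total_seconds(),
                "initiator_bytes": ev["ibytes"], "responder_bytes": ev["rbytes"],
            })
        else:                                  # stop without a start (log gap or lost message)
            orphans.append(ev)
    # Sessions still open at the end are reported too, so nothing silently disappears.
    return closed, orphans + list(open_sessions.values())


# Constructed sample input (see the lead-in for how each line relates to the page's examples).
SAMPLE_LOG = [
    "*Jan 21 20:13:01.078: %IOSXE-6-PLATFORM: F0: cpp_cp: CPP:00 Thread:125 TS:00000010570290947309 "
    "%FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.1.1.1:43365) -- "
    "responder (10.3.21.1:23) from FastEthernet0/1/0",
    "*Jan 21 20:13:15.889: %IOSXE-6-PLATFORM: F0: cpp_cp: CPP:00 Thread:036 TS:00000010585102587819 "
    "%FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.1:43365) sent 35 bytes -- "
    "responder (10.3.21.1:23) sent 95 bytes, from FastEthernet0/1/0",
    "*Jan 21 20:13:15.889: %IOSXE-6-PLATFORM: F0: cpp_cp: CPP:00 Thread:036 TS:00000010585102587819 "
    "%FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.1:43365) sent 35 bytes -- "
    "responder (11.1.1.1:23) sent 95 bytes, from FastEthernet0/1/0",
]

if __name__ == "__main__":
    done, unmatched = correlate_sessions(SAMPLE_LOG)
    for s in done:
        print("closed:", s)
    for ev in unmatched:
        print("unmatched:", ev["kind"], ev["src"], ev["dst"])
```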


Firewall Extended Events

The event name of the firewall extended event maps the firewall extended event value to an event ID. Use the event name option record to obtain the mapping between an event value and an event ID.

Extended events are not part of standard firewall events (inspect, pass, or drop).

The following table describes the firewall extended events applicable prior to Cisco IOS XE Release 3.9S.

Table 3: Firewall Extended Events and Event Descriptions for Releases earlier than Cisco IOS XE Release 3.9S

| Value | Event ID | Description |
| --- | --- | --- |
| 0 | FW_EXT_LOG_NONE | No specific extended event. |
| 1 | FW_EXT_ALERT_UNBLOCK_HOST | New TCP connection attempts to the specified host are no longer blocked. |
| 2 | FW_EXT_ALERT_HOST_TCP_ALERT_ON | Maximum incomplete host limit for half-open TCP connections is exceeded. |
| 3 | FW_EXT_ALERT_BLOCK_HOST | All subsequent new TCP connection attempts to the specified host are denied because the maximum incomplete host threshold of half-open TCP connections is exceeded, and the blocking option is configured to block subsequent new connections. |
| 4 | FW_EXT_SESS_RATE_ALERT_ON | Maximum incomplete high threshold of half-open connections is exceeded, or the new connection initiation rate is exceeded. |
| 5 | FW_EXT_SESS_RATE_ALERT_OFF | Number of half-open TCP connections is below the maximum incomplete low threshold, or the new connection initiation rate has gone below the maximum incomplete low threshold. |
| 6 | FW_EXT_RESET | Reset connection. |
| 7 | FW_EXT_DROP | Drop connection. |
| 10 | FW_EXT_L4_NO_NEW_SESSION | No new session is allowed. |
| 12 | FW_EXT_L4_INVALID_SEG | Invalid TCP segment. |
| 13 | FW_EXT_L4_INVALID_SEQ | Invalid TCP sequence number. |
| 14 | FW_EXT_L4_INVALID_ACK | Invalid TCP acknowledgment (ACK). |
| 15 | FW_EXT_L4_INVALID_FLAGS | Invalid TCP flags. |
| 16 | FW_EXT_L4_INVALID_CHKSM | Invalid TCP checksum. |
| 18 | FW_EXT_L4_INVALID_WINDOW_SCALE | Invalid TCP window scale. |
| 19 | FW_EXT_L4_INVALID_TCP_OPTIONS | Invalid TCP options. |
| 20 | FW_EXT_L4_INVALID_HDR | Invalid Layer 4 header. |
| 21 | FW_EXT_L4_OOO_INVALID_SEG | OoO (out-of-order) invalid segment. |
| 24 | FW_EXT_L4_SYNFLOOD_DROP | Synchronized (SYN) flood packets are dropped. |
| 25 | FW_EXT_L4_SCB_CLOSED | Session is closed while receiving packets. |
| 26 | FW_EXT_L4_INTERNAL_ERR | Firewall internal error. |
| 27 | FW_EXT_L4_OOO_SEG | OoO segment. |
| 28 | FW_EXT_L4_RETRANS_INVALID_FLAGS | Invalid retransmitted packet. |
| 29 | FW_EXT_L4_SYN_IN_WIN | Invalid SYN flag. |
| 30 | FW_EXT_L4_RST_IN_WIN | Invalid reset (RST) flag. |
| 31 | FW_EXT_L4_STRAY_SEG | Stray TCP segment. |
| 32 | FW_EXT_L4_RST_TO_RESP | Sending reset message to the responder. |
| 33 | FW_EXT_L4_CLOSE_SCB | Closing a session. |
| 34 | FW_EXT_L4_ICMP_INVAL_RET | Invalid ICMP (Internet Control Message Protocol) packet. |
| 37 | FW_EXT_L4_MAX_HALFSESSION | Maximum half-open session limit is exceeded. |
| 38 | FW_EXT_NO_RESOURCE | Resources (memory) are not available. |
| 40 | FW_EXT_INVALID_ZONE | Invalid zone. |
| 41 | FW_EXT_NO_ZONE_PAIR | Zone pairs are not available. |
| 42 | FW_EXT_NO_TRAFFIC_ALLOWED | Traffic is not allowed. |
| 43 | FW_EXT_FRAGMENT | Packet fragments are dropped. |
| 44 | FW_EXT_PAM_DROP | PAM (Port-to-Application Mapping) action is dropped. |
| 45 | FW_EXT_NOT_INITIATOR | Not a session-initiating packet. Occurs for one of the following reasons: if the protocol is TCP, the first packet is not a SYN packet; if the protocol is ICMP, the first packet is not an ECHO or a TIMESTAMP packet. |
| 48 | FW_EXT_ICMP_ERROR_PKTS_BURST | ICMP error packets came in burst mode. In burst mode, packets are sent repeatedly without waiting for a response from the responder interface. |
| 49 | FW_EXT_ICMP_ERROR_MULTIPLE_UNREACH | More than one ICMP error of type "destination unreachable" is received. |
| 50 | FW_EXT_ICMP_ERROR_L4_INVALID_SEQ | Embedded packet in the ICMP error message has an invalid sequence number. |
| 51 | FW_EXT_ICMP_ERROR_L4_INVALID_ACK | Embedded packet in the ICMP error message has an invalid acknowledgment (ACK) number. |
| 52 | FW_EXT_MAX | Never used. |

The following table describes the firewall extended events from that are applicable to Cisco IOS XE Release3.9S and later releases.

Table 4: Firewall Extended Events and Event Descriptions for Cisco IOS XE Release 3.9S and Later Releases

DescriptionEvent IDValue

No specific extended event.FW_EXT_LOG_NONE0

Small datagram that cannot contain theLayer 4 ICMP, TCP, or UDP headers.

FW_EXT_FW_DROP_L4_TYPE_INVALID_HDR1

Did not contain an ACK flag, or a RST flagwas set in the SYN/ACK packet during theTCP three-way handshake and the packethad an invalid sequence number.

FW_EXT_FW_DROP_L4_TYPE_INVALID_ACK_FLAG2

Occurs due to one of the following reasons:

• When a packet’s ACK value is lessthan the connection’s oldestunacknowledged sequence number.

• When a packet’s ACK value is greaterthan the connection’s next sequencenumber.

• For SYN/ACK or ACK packetsreceived during the three-wayhandshake, the sequence number is notequal to the initial sequence numberplus 1.

FW_EXT_FW_DROP_L4_TYPE_INVALID_ACK_NUM3

Firewall High-Speed Logging14

Firewall High-Speed LoggingFirewall Extended Events

Page 15: Firewall High-Speed Logging - Cisco...FieldID Type Length Description Valuethatrepresentstheconfigured half-open,aggressive-aging,and event-ratemonitoringlimit.The interpretationofthisfieldvaluedepends

DescriptionEvent IDValue

The first packet of a flow was not a SYNpacket.

FW_EXT_FW_DROP_L4_TYPE_INVALID_TCP_INITIATOR

4

The SYN packet contains the payload andthese SYN packet is not supported.

FW_EXT_FW_DROP_L4_TYPE_SYN_WITH_DATA

5

Invalid length for the TCP window-scaleoption.

FW_EXT_FW_DROP_L4_TYPE_INVALID_TCP_WIN_SCALE_OPTION

6

An invalid TCP segment was received inthe SYNSENT state.

Occurs due to one of the following reasons:

• SYN/ACK has a payload.

• SYN/ACKhas other flags (push [PSH],urgent [URG], finish [FIN]) set.

• Retransmit SYN message with apayload or invalid TCP flags (ACK,PSH, URG, FIN, RST) was received.

• A non-SYN packet was received fromthe initiator.

FW_EXT_FW_DROP_L4_TYPE_INVALID_SEG_SYNSENT_STATE

7

A retransmitted SYN packet contains apayload or received a packet from theresponder.

FW_EXT_FW_DROP_L4_TYPE_INVALID_SEG_SYNRCVD_STATE

8

Packet is older (lesser than) than thereceiver’s current TCP window.

FW_EXT_FW_DROP_L4_TYPE_INVALID_SEG_PKT_TOO_OLD

9

The sequence number of the packet isoutside (greater than) the receiver’s TCPwindow.

FW_EXT_FW_DROP_L4_TYPE_INVALID_SEG_PKT_WIN_OVERFLOW

10

A packet containing a payload was receivedfrom the sender after a FIN message wasreceived.

FW_EXT_FW_DROP_L4_TYPE_INVALID_SEG_PYLD_AFTER_FIN_SEND

11

TCP flags associated with the packet are notvalid. This may occur for the followingreasons:

• Extra flags along with the SYN flag,are set in the initial packet. Only theSYN flag is allowed in the initialpacket.

• Expected SYN/ACK did not contain aSYN flag, or the SYN/ACK containedextraneous flags in the second packetof the three-way handshake.

FW_EXT_FW_DROP_L4_TYPE_INVALID_FLAGS12

Firewall High-Speed Logging15

Firewall High-Speed LoggingFirewall Extended Events

Page 16: Firewall High-Speed Logging - Cisco...FieldID Type Length Description Valuethatrepresentstheconfigured half-open,aggressive-aging,and event-ratemonitoringlimit.The interpretationofthisfieldvaluedepends

DescriptionEvent IDValue

Invalid sequence number.

Occurs due to one of the following reasons:

• The sequence number is less than theISN 9.

• The sequence number is equal to theISN but not equal to a SYN packet.

• If the receive window size is zero andthe packet contains data, or if thesequence number is greater than thelast ACK number.

• Sequence number falls beyond the TCPwindow.

FW_EXT_FW_DROP_L4_TYPE_INVALID_SEQ13

A retransmitted packet was alreadyacknowledged by the receiver.

FW_EXT_FW_DROP_L4_TYPE_RETRANS_INVALID_FLAGS

14

The packet contains a TCP segment thatarrived prior to the expected next segment.

FW_EXT_FW_DROP_L4_TYPE_L7_OOO _SEG15

Maximum-incomplete sessions configuredfor the policy have been exceeded and thehost is in block time.

FW_EXT_FW_DROP_L4_TYPE_SYN_FLOOD_DROP

16

Exceeded the number of allowed half-opensessions.

FW_EXT_FW_DROP_L4_TYPE_MAX_HALFSESSION

17

Exceeded the maximum number ofsimultaneous inspectable packets allowedper flow. The number is currently set toallow 25 simultaneous packets to beinspected. The simultaneous inspectionprevents any one flow from monopolizingmore than its share of processor resources.

FW_EXT_FW_DROP_L4_TYPE_TOO_MANY_PKTS

18

Exceeded the maximum number of ICMPerror packets allowed per flow. This log istriggered by the firewall base inspection.

FW_EXT_FW_DROP_L4_TYPE_TOO_MANY_ICMP_ERR_PKTS

19

Retransmitted SYN/ACK from theresponder included a payload. Payloads arenot allowed during a TCP three-wayhandshake negotiation.

FW_EXT_FW_DROP_L4_TYPE_UNEXPECT_TCP_PYLD

20

Packet direction is undefined.FW_EXT_FW_DROP_L4_TYPE_INTERNAL_ERR_UNDEFINED_DIR

21

Firewall High-Speed Logging16

Firewall High-Speed LoggingFirewall Extended Events

Page 17: Firewall High-Speed Logging - Cisco...FieldID Type Length Description Valuethatrepresentstheconfigured half-open,aggressive-aging,and event-ratemonitoringlimit.The interpretationofthisfieldvaluedepends

DescriptionEvent IDValue

A TCP packet of an established sessionarrived with the SYN flag set. A SYN flagis not allowed after the initial two packetsof the three-way handshake.

FW_EXT_FW_DROP_L4_TYPE_SYN _IN_WIN22

A TCP packet with the RST flag set wasreceived with a sequence number that isoutside the last received acknowledgment.The packet may be sent out of order.

FW_EXT_FW_DROP_L4_TYPE_RST _IN_WIN23

An unexpected packet was received afterthe flow was torn down, or a packet wasreceived from the responder before theinitiator sent a valid SYN flag.

FW_EXT_FW_DROP_L4_TYPE_ STRAY_SEG24

A SYN/ACK flag was expected from theresponder. However, a packet with aninvalid sequence number was received. Thezone-based firewall sent a RST flag to theresponder.

FW_EXT_FW_DROP_L4_TYPE_ RST_TO_RESP25

The ICMP packet is NAT 10 translated; butinternal NAT information is missing. Aninternal error.

FW_EXT_FW_DROP_L4_TYPE _INTERNAL_ERR_ICMP_NO_NAT

26

Failed to allocate an ICMP error packetduring an ICMP inspection.

FW_EXT_FW_DROP_L4_TYPE _INTERNAL_ERR_ICMP_ALLOC_FAIL

27

The classification result did not have therequired statistics memory. The policyinformation was not properly downloadedto the data plane.

FW_EXT_FW_DROP_L4_TYPE_INTERNAL_ERR_ICMP_GET_STAT_BLK_FAIL

28

Packet direction is not defined.FW_EXT_FW_DROP_L4_TYPE_INTERNAL_ERR_ICMP_DIR_NOT_IDENTIFIED

29

Received an ICMP packet while the sessionis being torn down.

FW_EXT_FW_DROP_L4_TYPE_ICMP_SCB_CLOSE

30

No IP header in the payload of the ICMPerror packet.

FW_EXT_FW_DROP_L4_TYPE_ICMP_PKT_NO_IP_HDR

31

The ICMP error packet has no IP or ICMP,which is probably due to a malformedpacket.

FW_EXT_FW_DROP_L4_TYPE_ICMP_ERROR_NO _IP_NO_ICMP

32

The ICMP error packet exceeded the burstlimit of 10

FW_EXT_FW_DROP_L4_TYPE_ ICMP_ERROR_PKTS_BURST

33

The ICMP error packet exceeded the“Unreachable” limit. Only the firstunreachable packet is allowed to pass.

FW_EXT_FW_DROP_L4_TYPE_ ICMP_ERROR_MULTIPLE_UNREACH

34

Firewall High-Speed Logging17

Firewall High-Speed LoggingFirewall Extended Events

Page 18: Firewall High-Speed Logging - Cisco...FieldID Type Length Description Valuethatrepresentstheconfigured half-open,aggressive-aging,and event-ratemonitoringlimit.The interpretationofthisfieldvaluedepends

DescriptionEvent IDValue

35  FW_EXT_FW_DROP_L4_TYPE_ICMP_ERROR_L4_INVALID_SEQ
    The sequence number of the embedded packet does not match the sequence number of the TCP packet that triggers the ICMP error packet.

36  FW_EXT_FW_DROP_L4_TYPE_ICMP_ERROR_L4_INVALID_ACK
    The TCP packet contained in an ICMP error packet payload has an ACK flag that was not seen before.

37  FW_EXT_FW_DROP_L4_TYPE_ICMP_PKT_TOO_SHORT
    The ICMP error packet length is less than the IP header length plus the ICMP header length.

38  FW_EXT_FW_DROP_L4_TYPE_SESSION_LIMIT
    Resources exceeded the session limit while promoting for an imprecise channel.

39  FW_EXT_FW_DROP_L4_TYPE_SCB_CLOSE
    A TCP packet was received on a closed session.

40  FW_EXT_FW_DROP_INSP_TYPE_POLICY_NOT_PRESENT
    A policy is not present in a zone pair.

41  FW_EXT_FW_DROP_INSP_TYPE_SESS_MISS_POLICY_NOT_PRESENT
    A zone pair is configured in the same zone, but the zone does not have any policies.

44  FW_EXT_FW_DROP_INSP_TYPE_CLASS_ACTION_DROP
    The classification action is to drop the non-ICMP, TCP, and UDP packets.

45  FW_EXT_FW_DROP_INSP_TYPE_PAM_LOOKUP_FAIL
    The classification action is to drop the PAM entry.

48  FW_EXT_FW_DROP_INSP_TYPE_INTERNAL_ERR_GET_STAT_BLK_FAIL
    Failed to get the statistic block from the classification result bytes.

49  FW_EXT_FW_DROP_SYNCOOKIE_TYPE_SYNCOOKIE_MAX_DST
    The maximum entry limit for SYN flood packets is reached.

50  FW_EXT_FW_DROP_SYNCOOKIE_TYPE_INTERNAL_ERR_ALLOC_FAIL
    Cannot allocate memory for the destination table entry.

51  FW_EXT_FW_DROP_SYNCOOKIE_TYPE_SYN_COOKIE_TRIGGER
    The SYN cookie logic is triggered. Indicates that the SYN/ACK with the SYN cookie was sent and the original SYN packet was dropped.

52  FW_EXT_FW_DROP_POLICY_TYPE_FRAG_DROP
    The first fragment of a VFR[11] packet is dropped and all associated remaining fragments will be dropped.

53  FW_EXT_FW_DROP_POLICY_TYPE_ACTION_DROP
    The classification action is to drop the packet.


54  FW_EXT_FW_DROP_POLICY_TYPE_ICMP_ACTION_DROP
    The policy action of the ICMP embedded packet is DROP.

55  FW_EXT_FW_DROP_L7_TYPE_NO_SEG
    Layer 7 ALG[12] does not inspect segmented packets.

56  FW_EXT_FW_DROP_L7_TYPE_NO_FRAG
    Layer 7 ALG does not inspect fragmented packets.

57  FW_EXT_FW_DROP_L7_TYPE_UNKNOWN_PROTO
    Unknown application protocol type.

58  FW_EXT_FW_DROP_L7_TYPE_ALG_RET_DROP
    Layer 7 ALG inspection resulted in a packet drop.

59  FW_EXT_FW_DROP_NONSESSION_TYPE
    Session creation has failed.

60  FW_EXT_FW_DROP_NO_NEW_SESSION_TYPE
    During initial HA[13] states, a new session is not allowed.

61  FW_EXT_FW_DROP_NOT_INITIATOR_TYPE
    Not a session initiator packet.

62  FW_EXT_FW_DROP_INVALID_ZONE_TYPE
    When default zones are not enabled, traffic is only allowed between interfaces that are associated with security zones.

64  FW_EXT_FW_DROP_NO_FORWARDING_TYPE
    The firewall is not configured.

65  FW_EXT_FW_DROP_BACKPRESSURE_TYPE
    The firewall backpressure can be enabled if HSL[14] is enabled and the HSL logger was unable to send a log message. Backpressure will remain enabled until HSL is able to send a log.

66  FW_EXT_FW_DROP_L4_TYPE_INTERNAL_ERR_SYNFLOOD_ALLOC_HOSTDB_FAIL
    During SYN processing, host rate limits are tracked. The host entry could not be allocated.

67  FW_EXT_FW_DROP_L4_TYPE_SYNFLOOD_BLACKOUT_DROP
    If the configured half-open connection limit is exceeded and blackout time is configured, all new connections to the specified IP address are dropped.

68  FW_EXT_FW_DROP_L7_TYPE_PROMOTE_FAIL_NO_ZONE_PAIR
    A failed policy. When an ALG attempts to promote a session because no zone pairs are configured, the policy fails.

69  FW_EXT_FW_DROP_L7_TYPE_PROMOTE_FAIL_NO_POLICY
    A failed policy. When an ALG attempts to promote a session due to no policy, the policy fails.


    FW_EXT_FW_DROP_L4_TYPE_ONEFW_SCB_CLOSE
    A packet is received after the Context-Aware firewall (CXSC) requested a teardown.

    FW_EXT_FW_DROP_L4_TYPE_ONEFW_FAIL_CLOSE
    CXSC is not running.

Footnotes:
9. initial sequence number
10. Network Address Translation
11. virtual fragmentation and reassembly
12. application layer gateway
13. high availability
14. high-speed logging
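The event values in the table above are what a collector receives in the exported records. The following Python, added here as an example and not Cisco code, maps the values back to their FW_EXT_* names and applies simple collector-side triage: it flags backpressure (the firewall could not export, so the collector's view has a gap), SYN-flood blackouts, repeated SYN-cookie triggers toward one destination, and internal-error drops. The record shape (one dict per decoded record with event_value, src and dst), the internal-error grouping and the SYN-cookie threshold are this example's own assumptions, not part of the export schema.

```python
from collections import Counter, defaultdict

# Event values and FW_EXT_* names copied from the Firewall Extended Events table.
EXTENDED_EVENTS = {
    25: "FW_EXT_FW_DROP_L4_TYPE_RST_TO_RESP",
    26: "FW_EXT_FW_DROP_L4_TYPE_INTERNAL_ERR_ICMP_NO_NAT",
    27: "FW_EXT_FW_DROP_L4_TYPE_INTERNAL_ERR_ICMP_ALLOC_FAIL",
    28: "FW_EXT_FW_DROP_L4_TYPE_INTERNAL_ERR_ICMP_GET_STAT_BLK_FAIL",
    29: "FW_EXT_FW_DROP_L4_TYPE_INTERNAL_ERR_ICMP_DIR_NOT_IDENTIFIED",
    30: "FW_EXT_FW_DROP_L4_TYPE_ICMP_SCB_CLOSE",
    31: "FW_EXT_FW_DROP_L4_TYPE_ICMP_PKT_NO_IP_HDR",
    32: "FW_EXT_FW_DROP_L4_TYPE_ICMP_ERROR_NO_IP_NO_ICMP",
    33: "FW_EXT_FW_DROP_L4_TYPE_ICMP_ERROR_PKTS_BURST",
    34: "FW_EXT_FW_DROP_L4_TYPE_ICMP_ERROR_MULTIPLE_UNREACH",
    35: "FW_EXT_FW_DROP_L4_TYPE_ICMP_ERROR_L4_INVALID_SEQ",
    36: "FW_EXT_FW_DROP_L4_TYPE_ICMP_ERROR_L4_INVALID_ACK",
    37: "FW_EXT_FW_DROP_L4_TYPE_ICMP_PKT_TOO_SHORT",
    38: "FW_EXT_FW_DROP_L4_TYPE_SESSION_LIMIT",
    39: "FW_EXT_FW_DROP_L4_TYPE_SCB_CLOSE",
    40: "FW_EXT_FW_DROP_INSP_TYPE_POLICY_NOT_PRESENT",
    41: "FW_EXT_FW_DROP_INSP_TYPE_SESS_MISS_POLICY_NOT_PRESENT",
    44: "FW_EXT_FW_DROP_INSP_TYPE_CLASS_ACTION_DROP",
    45: "FW_EXT_FW_DROP_INSP_TYPE_PAM_LOOKUP_FAIL",
    48: "FW_EXT_FW_DROP_INSP_TYPE_INTERNAL_ERR_GET_STAT_BLK_FAIL",
    49: "FW_EXT_FW_DROP_SYNCOOKIE_TYPE_SYNCOOKIE_MAX_DST",
    50: "FW_EXT_FW_DROP_SYNCOOKIE_TYPE_INTERNAL_ERR_ALLOC_FAIL",
    51: "FW_EXT_FW_DROP_SYNCOOKIE_TYPE_SYN_COOKIE_TRIGGER",
    52: "FW_EXT_FW_DROP_POLICY_TYPE_FRAG_DROP",
    53: "FW_EXT_FW_DROP_POLICY_TYPE_ACTION_DROP",
    54: "FW_EXT_FW_DROP_POLICY_TYPE_ICMP_ACTION_DROP",
    55: "FW_EXT_FW_DROP_L7_TYPE_NO_SEG",
    56: "FW_EXT_FW_DROP_L7_TYPE_NO_FRAG",
    57: "FW_EXT_FW_DROP_L7_TYPE_UNKNOWN_PROTO",
    58: "FW_EXT_FW_DROP_L7_TYPE_ALG_RET_DROP",
    59: "FW_EXT_FW_DROP_NONSESSION_TYPE",
    60: "FW_EXT_FW_DROP_NO_NEW_SESSION_TYPE",
    61: "FW_EXT_FW_DROP_NOT_INITIATOR_TYPE",
    62: "FW_EXT_FW_DROP_INVALID_ZONE_TYPE",
    64: "FW_EXT_FW_DROP_NO_FORWARDING_TYPE",
    65: "FW_EXT_FW_DROP_BACKPRESSURE_TYPE",
    66: "FW_EXT_FW_DROP_L4_TYPE_INTERNAL_ERR_SYNFLOOD_ALLOC_HOSTDB_FAIL",
    67: "FW_EXT_FW_DROP_L4_TYPE_SYNFLOOD_BLACKOUT_DROP",
    68: "FW_EXT_FW_DROP_L7_TYPE_PROMOTE_FAIL_NO_ZONE_PAIR",
    69: "FW_EXT_FW_DROP_L7_TYPE_PROMOTE_FAIL_NO_POLICY",
}

# Grouping is this example's own reading of the descriptions, not a Cisco category.
INTERNAL_ERRORS = {26, 27, 28, 29, 48, 50, 66}


def event_name(value):
    """Map an exported event value to its FW_EXT_* name (None if unlisted)."""
    return EXTENDED_EVENTS.get(value)


def triage(records, syn_cookie_threshold=3):
    """Turn a batch of decoded drop records into collector-side alerts.

    Each record is assumed to be a dict with 'event_value', 'src' and 'dst'.
    Returns (alerts, counts): alerts is a sorted list of (alert_type, subject)
    tuples; counts maps destination -> Counter of event names seen.
    """
    alerts = set()
    syn_cookie_by_dst = Counter()
    counts = defaultdict(Counter)
    for rec in records:
        value = rec["event_value"]
        name = event_name(value)
        if name is None:
            alerts.add(("unknown_event_value", str(value)))
            continue
        counts[rec["dst"]][name] += 1
        if value == 65:
            # The logger could not export: everything after this point may be
            # missing from the collector, which is itself worth an alert.
            alerts.add(("hsl_backpressure", "collector"))
        if value in INTERNAL_ERRORS:
            alerts.add(("firewall_internal_error", name))
        if value == 67:
            alerts.add(("synflood_blackout", rec["dst"]))
        if value == 51:
            syn_cookie_by_dst[rec["dst"]] += 1
    for dst, n in syn_cookie_by_dst.items():
        if n >= syn_cookie_threshold:
            alerts.add(("syn_cookie_burst", dst))
    return sorted(alerts), counts


# Constructed sample batch (assumed record shape; not real export data).
SAMPLE_RECORDS = [
    {"event_value": 51, "src": "203.0.113.7", "dst": "192.0.2.10"},
    {"event_value": 51, "src": "203.0.113.8", "dst": "192.0.2.10"},
    {"event_value": 51, "src": "203.0.113.9", "dst": "192.0.2.10"},
    {"event_value": 67, "src": "203.0.113.9", "dst": "192.0.2.10"},
    {"event_value": 39, "src": "198.51.100.4", "dst": "192.0.2.20"},
    {"event_value": 65, "src": "198.51.100.4", "dst": "192.0.2.20"},
    {"event_value": 99, "src": "198.51.100.5", "dst": "192.0.2.20"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS)[0]:
        print(alert)
```

Run as a script, the sample batch yields four alerts: the backpressure event, a SYN-cookie burst and a blackout toward 192.0.2.10, and an unknown value 99 (not in the table, so worth a look at the exporting release). Values 42, 43, 46, 47 and 63 are absent from the table on this page and are deliberately not filled in.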

How to Configure Firewall High-Speed Logging

Enabling High-Speed Logging for Global Parameter Maps

By default, high-speed logging (HSL) is not enabled and firewall logs are sent to a logger buffer located in the Route Processor (RP) or the console. When HSL is enabled, logs are sent to an off-box, high-speed log collector. Parameter maps provide a means of performing actions on the traffic that reaches a firewall, and a global parameter map applies to the entire firewall session table. Perform this task to enable high-speed logging for global parameter maps.

SUMMARY STEPS

1. enable
2. configure terminal
3. parameter-map type inspect global
4. log dropped-packets
5. log flow-export v9 udp destination ip-address port-number
6. log flow-export template timeout-rate seconds
7. end

DETAILED STEPS

Step 1: enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example: Device> enable

Step 2: configure terminal
  Enters global configuration mode.
  Example: Device# configure terminal

Step 3: parameter-map type inspect global
  Configures a global parameter map and enters parameter-map type inspect configuration mode.
  Example: Device(config)# parameter-map type inspect global

Step 4: log dropped-packets
  Enables dropped-packet logging.
  Example: Device(config-profile)# log dropped-packets

Step 5: log flow-export v9 udp destination ip-address port-number
  Enables NetFlow event logging and provides the IP address and the port number of the log collector.
  Example: Device(config-profile)# log flow-export v9 udp destination 10.0.2.0 5000

Step 6: log flow-export template timeout-rate seconds
  Specifies the template timeout value.
  Example: Device(config-profile)# log flow-export template timeout-rate 5000

Step 7: end
  Exits parameter-map type inspect configuration mode and returns to privileged EXEC mode.
  Example: Device(config-profile)# end

Enabling High-Speed Logging for Firewall Actions

Perform this task to enable high-speed logging if you have configured inspect-type parameter maps. Parameter maps specify inspection behavior for the firewall, and inspection parameter maps for the firewall are configured as the inspect type.

SUMMARY STEPS

1. enable
2. configure terminal
3. parameter-map type inspect parameter-map-name
4. audit-trail on
5. alert on
6. one-minute {low number-of-connections | high number-of-connections}
7. tcp max-incomplete host threshold
8. exit
9. policy-map type inspect policy-map-name
10. class type inspect class-map-name
11. inspect parameter-map-name
12. end


DETAILED STEPS

Step 1: enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example: Device> enable

Step 2: configure terminal
  Enters global configuration mode.
  Example: Device# configure terminal

Step 3: parameter-map type inspect parameter-map-name
  Configures an inspect parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect keyword, and enters parameter-map type inspect configuration mode.
  Example: Device(config)# parameter-map type inspect parameter-map-hsl

Step 4: audit-trail on
  Enables audit trail messages. You can enable audit-trail on a parameter map to record the start, stop, and duration of a connection or session, and the source and destination IP addresses.
  Example: Device(config-profile)# audit-trail on

Step 5: alert on
  Enables stateful-packet inspection alert messages that are displayed on the console.
  Example: Device(config-profile)# alert on

Step 6: one-minute {low number-of-connections | high number-of-connections}
  Defines the number of new unestablished sessions that cause the system to start deleting half-open sessions (high) and to stop deleting half-open sessions (low).
  Example: Device(config-profile)# one-minute high 10000

Step 7: tcp max-incomplete host threshold
  Specifies the threshold and blocking time values for TCP host-specific denial of service (DoS) detection and prevention.
  Example: Device(config-profile)# tcp max-incomplete host 100

Step 8: exit
  Exits parameter-map type inspect configuration mode and returns to global configuration mode.
  Example: Device(config-profile)# exit

Step 9: policy-map type inspect policy-map-name
  Creates an inspect-type policy map and enters policy map configuration mode.
  Example: Device(config)# policy-map type inspect policy-map-hsl

Step 10: class type inspect class-map-name
  Specifies the traffic class on which an action is to be performed and enters policy-map class configuration mode.
  Example: Device(config-pmap)# class type inspect class-map-tcp

Step 11: inspect parameter-map-name
  (Optional) Enables stateful packet inspection.
  Example: Device(config-pmap-c)# inspect parameter-map-hsl

Step 12: end
  Exits policy-map class configuration mode and returns to privileged EXEC mode.
  Example: Device(config-pmap-c)# end

Configuration Examples for Firewall High-Speed Logging

Example: Enabling High-Speed Logging for Global Parameter Maps

The following example shows how to enable logging of dropped packets, and to log error messages in NetFlow Version 9 format to an external IP address:

Device# configure terminal
Device(config)# parameter-map type inspect global
Device(config-profile)# log dropped-packets
Device(config-profile)# log flow-export v9 udp destination 10.0.2.0 5000
Device(config-profile)# log flow-export template timeout-rate 5000
Device(config-profile)# end

Example: Enabling High-Speed Logging for Firewall Actions

The following example shows how to configure high-speed logging (HSL) for the inspect-type parameter map parameter-map-hsl:

Device# configure terminal
Device(config)# parameter-map type inspect parameter-map-hsl
Device(config-profile)# audit-trail on
Device(config-profile)# alert on
Device(config-profile)# one-minute high 10000
Device(config-profile)# tcp max-incomplete host 100
Device(config-profile)# exit
Device(config)# policy-map type inspect policy-map-hsl
Device(config-pmap)# class type inspect class-map-tcp
Device(config-pmap-c)# inspect parameter-map-hsl
Device(config-pmap-c)# end


Additional References for Firewall High-Speed Logging

Related Documents

Related Topic       Document Title
Cisco IOS commands  Cisco IOS Master Commands List, All Releases
Security commands   • Cisco IOS Security Command Reference: Commands A to C
                    • Cisco IOS Security Command Reference: Commands D to L
                    • Cisco IOS Security Command Reference: Commands M to R
                    • Cisco IOS Security Command Reference: Commands S to Z

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for Firewall High-Speed Logging

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support.To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.


Table 5: Feature Information for Firewall High-Speed Logging

Feature Name: Firewall High-Speed Logging
Releases: Cisco IOS XE Release 2.1
Feature Information: The Firewall High-Speed Logging Support feature introduces support for the firewall HSL using NetFlow Version 9 as the export format. The following commands were introduced or modified: log dropped-packet, log flow-export v9 udp destination, log flow-export template timeout-rate, parameter-map type inspect global.
